Auditing a Web Application. Brad Ruppert. SANS Technology Institute GWAS Presentation 1
|
|
- Leonard Knight
- 8 years ago
- Views:
Transcription
1 Auditing a Web Application Brad Ruppert SANS Technology Institute GWAS Presentation 1
2 Objectives Define why application vulnerabilities exist Address Auditing Approach Discuss Information Interfaces Walk through Auditing Process Identify High Risk Vulnerabilities Outline Mitigating Solutions SANS Technology Institute GWAS Presentation 2
3 Background Applications provide the interface between our most sensitive assets: our data and our users Proper controls on information flow are of utmost importance Having a web presence is no longer nice to have; it s a requirement of most businesses Applications provide the interface between our most sensitive assets, our data, and our users. SANS Technology Institute GWAS Presentation 3 Therefore it is of utmost importance that applications exercise the proper controls when it comes to protecting the confidentiality, integrity, and availability of data.
4 Root Cause of App Vulnerabilities Security is not my job I get paid to make it work, not to be secure Businesses are driven by revenue and security often takes a backseat to development Lack of security awareness and application security training SANS Technology Institute GWAS Presentation 4 Unfortunately developers of most applications are provided objectives based solely on functionality and very little if any security measures are taken into account. After all, if it s not written into their job description, why should it concern them? This in turn produces applications containing multiple vulnerabilities ranging from weaknesses around input validation, error handling, session management, and failure to implement proper access controls. Sometimes it takes an exploited vulnerability resulting in a data breach or application defacement for developers and managers to realize the impact of having these weaknesses in their application. According to the SANS (SysAdmin, Audit, Network, Security) Institute Top 20 Internet Security Attack Targets, every week hundreds of vulnerabilities are being reported in web applications, and are being actively exploited. The number of attempted attacks every day for some of the large web hosting farms range from hundreds of thousands to even millions.
5 Auditing Approach Work with the developers to enhance education, rather than fault finding Be sensitive to discovering vulnerabilities; this is their baby Work with developers, QA, Configuration Management, and Project Managers to ensure everyone has their eyes on security and takes time to review it SANS Technology Institute GWAS Presentation 5
6 Where to Start Begin by collecting high level data flow diagrams Focus on four primary interfaces User Web Web App App App App Database Trace the data down to specific functions that request input or return output and document each function s name, file location, input/output arguments SANS Technology Institute GWAS Presentation 6
7 3 Most Important Aspects Data Validation Data Validation Data Validation SANS Technology Institute GWAS Presentation 7 Data validation Data validation is typically the number one cause for application errors or vulnerabilities. Proper controls need to be put in place to ensure the data received is what s expected and the data returned to the users is of an expected output as well. Taking the functions identified in where to start, examine each of these functions to ensure proper data validation (and if necessary data scrubbing) takes place. Particularly ensure the proper data type (numeric, alpha, or both) is being checked, proper length (min, max, or exact) is specified, if data is required or not, default value is specified (if applicable), and that functions to clean the data are written. Along with these high level recommendations, below is a checklist of best practice data validation.
8 Data Validation Data Validation is typically the number one cause for application errors or vulnerabilities Ensure the data received is what is expected and the data returned to the users is of an expected output Proper data type (numeric, alpha, or both) Proper length proper length (min, max, or exact) Data is required or not Default value is specified (if applicable) SANS Technology Institute GWAS Presentation 8 Perform Input Validation for All Inputs (prevent buffer overflow errors) Ensure asynchronous consistency to avoid timing and sequence errors, race conditions, deadlocks, order dependencies, synchronization errors, etc. Use Commit-or-Rollback semantics for exception handling Use multitasking and multithreading safely Set initial values for data Avoid or eliminate backdoors Avoid or eliminate shell escapes Validate configuration files before use Validate command-line parameters before use Validate environment variables before use Ensure communication connection queues cannot be exhausted
9 Data Protection Protecting sensitive information within the context of the application Many applications store and/or use sensitive information, and proper controls must be in place to protect this data Examine all functions requiring user input or providing user output to ensure proper data protection for any sensitive information being utilized Best Practice Resource connection strings must be encrypted Sensitive data should never be in code Cookies containing sensitive data should be encrypted Sensitive data should not be passed from page to page on client side SANS Technology Institute GWAS Presentation 9 Data protection Data protection addresses protecting sensitive information within the context of the application. Many applications store and/or use sensitive information, and proper controls must be in place to protect this data. Taking the functions identified in where to start above, examine each of these functions to ensure proper data protection for any sensitive information being utilized. Sensitive data such as resource connection strings (e.g., database) must be encrypted both in store and in transmission over public networks Sensitive or secret data values must never be used in code. Applications must include a do not remember me option to allow no session data to be stored on the client. All cookies containing sensitive or session-based information must be encrypted or transmitted over an encrypted channel. Sensitive data must not be passed from page to page in client side processing. Pages containing sensitive data must only retrieve the sensitive data on demand when it is needed instead of persisting or caching it in memory.
10 Error Handling A big component in application security often overlooked Examine the error handling of all functions to ensure the errors are sanitized to the point of providing need to know information back to the user Production applications should not provide the same error messages as used in development Best Practice Fail safe; do not fail open Error logs be synchronized with a time server Audit logs are legally protected; so protect them Reports and search logs should be read-only Applications should not run with administrator privileges so log files cannot be manipulated SANS Technology Institute GWAS Presentation 10 Error Handling Error handling is another big component to ensuring the stability of the application. Take the functions identified in Where to Start and ensure that proper error handling is written to handle exceptions. For any functions that return output to the user, ensure all error messages provide the user with the minimal amount of information needed to correct the error. Never display any errors to the user that would reveal information about the system or application itself. Ensure that your application has a safe mode which it can return if something truly unexpected occurs. If all else fails, log the user out and close the browser window. Production code should not be capable of producing debug messages. Assign log files the highest security protection, providing reassurance that you always have an effective 'black box' recorder if things go wrong. Simply be aware of different attacks. Take every security violation seriously, always get to the bottom of the cause event log errors and don't just dismiss errors unless you can be completely sure that you know it to be a technical problem.
11 Communication Security All sensitive information transferred between the primary interfaces User Web Web App App App App Database should be guarded against disclosure or alteration Typically this is handled by encryption as well as authentication Best Practice Ensure sensitive or personal data is never be passed in clear text through the URL String Ensure message freshness; even a valid message may present a danger if utilized in a replay attack Protect message integrity: Can I trust the caller? Did the caller create the message? Protect message confidentiality Calls to the database should use parameterized stored procedures SANS Technology Institute GWAS Presentation 11 Communication Security Any time sensitive information is transported between interfaces as identified in Where to Start, it should be protected from disclosure or alteration. This is typically handled by some means of encryption as well as authentication. Work with the developer to trace the data flow from the functions identified in Where to Start to ensure that proper encryption is taking place.
12 Authentication Authentication is establishing or confirming something (or someone) is who they claim to be Authentication of an individual should be validated prior to disclosing or providing any information specific to that individual Determine all areas where the user interface changes between public and privately visible information Best Practice Re-authenticate user for high value transactions and access to protected areas Authenticate the transaction, not the user With form-based authentication, use a trusted access control component rather than writing your own Use strong authentication (tokens, certificates, etc) SANS Technology Institute GWAS Presentation 12 Authentication Authentication is the act of establishing or confirming something (or someone) is who they claim to be. Authentication of an individual should be validated prior to disclosing or providing any information specific to that individual. Examine the interfaces identified in the Where to Start section above and determine all areas where the user interface changes between public and privately visible information. Work with the developer to determine when accountability needs to be ascertained and ensure all interfaces between these transitions require authentication.
13 Authorization Authorization is the process used to decide if person or program is allowed to have access to data, functionality or a service Once the application is certain a person is who they claim to be (authenticated), now we need to decide what permissions or visibility this user has access to Following up on the interfaces identified during the Authentication stage, now you want to examine the level of visibility or control the user will have and to what areas of the application Best Practice Principle of Least Privilege Only restricted and authorized users must have access to administrative interfaces used to manage site content and configuration Always start Access Control Lists using deny all and then adding only those roles and privileges necessary SANS Technology Institute GWAS Presentation 13 Authorization Authorization is the process used to decide if person or program is allowed to have access to data, functionality or a service. This is usually the follow-up step to authentication. Once the application is certain a person is who they claim to be (authenticated), now we need to decide what permissions or visibility this user has access to. Following up on the interfaces identified during the Authentication stage, now you want to examine the level of visibility or control the user will have and to what areas of the application. For larger applications, typically roles (or groups) are defined and users are assigned to a specific role within the application. Example roles could be: Administrator, HelpDesk, Customer, Reporting Analyst, etc. Work with the developer to identify the roles specific to the application you are auditing and gather the expected authorization (permissions, visibility, access) given to each of these roles. Then follow the transaction flow after the authentication process to examine how authorization is determined.
14 Session Management Session management follows authentication and authorization Includes all environment variables specific to that user and components used to maintain the user s state Sessions should be user specific and time specific as well Best Practice Authorization and role data should be stored on server side only Session identifiers should be as strong as possible Query strings should not contain session identifiers that represent authenticated users A session timeout length should be defined SANS Technology Institute GWAS Presentation 14 Session Management After the user has been authenticated and authorized within the application, it will be important to manage the user s session. This will include all environment variables specific to that user and components used to maintain the user s state. Therefore if the user has already logged in, they should not have to perform this function again during their session. Sessions should be user specific and time specific as well. Work with the developer to ensure that proper session security concerns are addressed by following the process flow after the authorization component. Make note of how sessions maintain uniqueness. What differentiates one session from another? Determine how session identifiers are created, stored, carried throughout the application, and destroyed. Best Practice Form data should not contain hidden fields if it is hidden, it probably needs to be protected and only available on the server side. However, hidden fields can (and should) be used for sequence protection and to prevent brute force pharming attacks Session Identifiers: A strong session identifier will have all (or most) of the following characteristics: Very hard to guess Length long enough to prevent brute force attacks Not related to any user information Expires on a pre-set date and cannot be reused/replayed Always transmitted over a secure path (SSL).
15 Summary Auditing an application can seem like a daunting task, but breaking it up piece by piece makes it achievable Identify interfaces and protect them first Proper data validation is a huge step to securing an application Work with developers to provide better coding practices SANS Technology Institute GWAS Presentation 15
Check list for web developers
Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation
More informationColumbia University Web Security Standards and Practices. Objective and Scope
Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements
More informationWeb Application Security Considerations
Web Application Security Considerations Eric Peele, Kevin Gainey International Field Directors & Technology Conference 2006 May 21 24, 2006 RTI International is a trade name of Research Triangle Institute
More informationWeb App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationWeb Application Report
Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus
ASP.NET MVC Secure Coding 4-Day hands on Course Course Syllabus Course description ASP.NET MVC Secure Coding 4-Day hands on Course Secure programming is the best defense against hackers. This multilayered
More informationCertified Secure Web Application Secure Development Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands About Certified Secure Checklist Certified Secure exists to encourage and fulfill
More informationABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST
ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London
More informationSession Management in Web Applications
Session Management in Web Applications Author: EUROSEC GmbH Chiffriertechnik & Sicherheit Tel: 06173 / 60850, www.eurosec.com EUROSEC GmbH Chiffriertechnik & Sicherheit, 2005 What is Web-based Session
More informationThreat Modeling. A workshop on how to create threat models by creating a hands-on example
Threat Modeling A workshop on how to create threat models by creating a hands-on example Introduction 2 Introduction 3 Part 1: Application- Layer Attacks A brief primer on some web application attacks
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationApplication Intrusion Detection
Application Intrusion Detection Drew Miller Black Hat Consulting Application Intrusion Detection Introduction Mitigating Exposures Monitoring Exposures Response Times Proactive Risk Analysis Summary Introduction
More informationColumbia University Web Application Security Standards and Practices. Objective and Scope
Columbia University Web Application Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Application Security Standards and Practices document establishes a baseline
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More informationThe Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA
The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4
More informationHIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationThreat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda
Threat Modeling/ Security Testing Presented by: Tarun Banga Sr. Manager Quality Engineering, Adobe Quality Leader (India) Adobe Systems India Pvt. Ltd. Agenda Security Principles Why Security Testing Security
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationWeb Application Guidelines
Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security
More informationApplication Security Policy
Purpose This document establishes the corporate policy and standards for ensuring that applications developed or purchased at LandStar Title Agency, Inc meet a minimum acceptable level of security. Policy
More informationExternal Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION
External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security
More informationNetwork Security Audit. Vulnerability Assessment (VA)
Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.
More informationKEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)
TECHNOLOGY TRANSFER PRESENTS KEN VAN WYK Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY) info@technologytransfer.it www.technologytransfer.it
More informationSecurity Test s i t ng Eileen Donlon CMSC 737 Spring 2008
Security Testing Eileen Donlon CMSC 737 Spring 2008 Testing for Security Functional tests Testing that role based security functions correctly Vulnerability scanning and penetration tests Testing whether
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationEvaluation of different Open Source Identity management Systems
Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More informationBasic & Advanced Administration for Citrix NetScaler 9.2
Basic & Advanced Administration for Citrix NetScaler 9.2 Day One Introducing and deploying Citrix NetScaler Key - Brief Introduction to the NetScaler system Planning a NetScaler deployment Deployment scenarios
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationE-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications
Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html
More informationApplication Security Testing. Generic Test Strategy
Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication
More information1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications
1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won
More informationExternal Network & Web Application Assessment. For The XXX Group LLC October 2012
External Network & Web Application Assessment For The XXX Group LLC October 2012 This report is solely for the use of client personal. No part of it may be circulated, quoted, or reproduced for distribution
More informationThreat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP
Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat
More informationPenetration Testing Scope Factors
1 NZ PAPER LINUX AND WEB APPLICATION SECURITY Penetration Testing Scope Factors April 20, 2013 Zeeshan Khan NZPAPER.BLOGSPOT.COM 2 Abstract: This paper contains the key points of penetration testing. All
More informationWordPress Security Scan Configuration
WordPress Security Scan Configuration To configure the - WordPress Security Scan - plugin in your WordPress driven Blog, login to WordPress as administrator, by simply entering the url_of_your_website/wp-admin
More informationInternet Banking System Web Application Penetration Test Report
Internet Banking System Web Application Penetration Test Report Kiev - 2014 1. Executive Summary This report represents the results of the Bank (hereinafter the Client) Internet Banking Web Application
More informationTaxonomic Modeling of Security Threats in Software Defined Networking
Taxonomic Modeling of Security Threats in Software Defined Networking Recent advances in software defined networking (SDN) provide an opportunity to create flexible and secure next-generation networks.
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More informationPenetration Testing: Lessons from the Field
Penetration Testing: Lessons from the Field CORE SECURITY TECHNOLOGIES SCS SERVICES May 2009 1 Agenda: About me: Alberto Soliño Director of Security Consulting Services at Core Security One of first five
More informationSiteminder Integration Guide
Integrating Siteminder with SA SA - Siteminder Integration Guide Abstract The Junos Pulse Secure Access (SA) platform supports the Netegrity Siteminder authentication and authorization server along with
More informationStandard: Web Application Development
Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development
More informationServer Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4
Contents Is Rumpus Secure? 2 Use Care When Creating User Accounts 2 Managing Passwords 3 Watch Out For Aliases 4 Deploy A Firewall 5 Minimize Running Applications And Processes 5 Manage Physical Access
More informationPenetration Testing. Presented by
Penetration Testing Presented by Roadmap Introduction to Pen Testing Types of Pen Testing Approach and Methodology Side Effects Demonstration Questions Introduction and Fundamentals Penetration Testing
More informationIT ACCESS CONTROL POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More information<Insert Picture Here> Oracle Web Cache 11g Overview
Oracle Web Cache 11g Overview Oracle Web Cache Oracle Web Cache is a secure reverse proxy cache and a compression engine deployed between Browser and HTTP server Browser and Content
More informationSecurity in the Sauce Labs Cloud
SAUCE LABS REPORT Security in the Sauce Labs Cloud Practices and protocols used in Sauce s infrastructure and Sauce Connect Overview It s impossible to deny that in this day and age internet security should
More informationWeb Application Hacking (Penetration Testing) 5-day Hands-On Course
Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationWeb Application Security
Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4
More informationNEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT
Appendix A to 11-02-P1-NJOIT NJ OFFICE OF INFORMATION TECHNOLOGY P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT The Intent
More informationSecurity in the Sauce Labs Cloud. Practices and protocols used in Sauce s infrastructure and Sauce Connect
Security in the Sauce Labs Cloud Practices and protocols used in Sauce s infrastructure and Sauce Connect Table of Contents page 2 page 4 page 6 page 8 page 9 page 10 page 11 Overview I. Sauce Labs Data
More informationDISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES
DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES By Michael Crouse Dr. Errin W. Fulp, Ph.D., Advisor Abstract The increasingly high volume of users on the web and their use of web
More informationSession Hijacking Exploiting TCP, UDP and HTTP Sessions
Session Hijacking Exploiting TCP, UDP and HTTP Sessions Shray Kapoor shray.kapoor@gmail.com Preface With the emerging fields in e-commerce, financial and identity information are at a higher risk of being
More informationSecurity Testing. How security testing is different Types of security attacks Threat modelling
Security Testing How security testing is different Types of security attacks Threat modelling Note: focus is on security of applications (not networks, operating systems) Security testing is about making
More informationSecurity Awareness For Website Administrators. State of Illinois Central Management Services Security and Compliance Solutions
Security Awareness For Website Administrators State of Illinois Central Management Services Security and Compliance Solutions Common Myths Myths I m a small target My data is not important enough We ve
More informationIDAM in the Cloud. March 11, 2015; Gunnar Peterson
IDAM in the Cloud March 11, 2015; Gunnar Peterson Session Overview What identity protection can be safely handled in the cloud and what functions still need to be on-premise? How to choose a CSP based
More informationDiscovering passwords in the memory
Discovering passwords in the memory Abhishek Kumar (abhishek.kumar@paladion.net) November 2003 Escalation of privileges is a common method of attack where a low privileged user exploits a vulnerability
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationCA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
More informationHunting flaws in Microsoft SQL Server
Hunting flaws in Microsoft SQL Server Cesar Cerrudo Independant Security Researcher Aaron Newman CTO/Founder, Application Security, Inc. www.appsecinc.com 1 Outline Collecting passwords Elevating privileges
More informationUsing Foundstone CookieDigger to Analyze Web Session Management
Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationWEBSITE PRIVACY POLICY. Last modified 10/20/11
WEBSITE PRIVACY POLICY Last modified 10/20/11 1. Introduction 1.1 Questions. This website is owned and operated by. If you have any questions or concerns about our Privacy Policy, feel free to email us
More informationTable of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3
Open-Xchange Authentication & Session Handling Table of Contents 1.Introduction...3 2.System overview/implementation...4 2.1.Overview... 4 2.1.1.Access to IMAP back end services...4 2.1.2.Basic Implementation
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More informationAdvanced Administration for Citrix NetScaler 9.0 Platinum Edition
Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Course Length: 5 Days Course Code: CNS-300 Course Description This course provides the foundation to manage, configure and monitor advanced
More informationSQL Injection January 23, 2013
Web-based Attack: SQL Injection SQL Injection January 23, 2013 Authored By: Stephanie Reetz, SOC Analyst Contents Introduction Introduction...1 Web applications are everywhere on the Internet. Almost Overview...2
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationwhite SECURITY TESTING WHITE PAPER
white SECURITY TESTING WHITE PAPER Contents: Introduction...3 The Need for Security Testing...4 Security Scorecards...5 Test Approach... 11 Framework... 16 Project Initiation Process... 17 Conclusion...
More informationInformation Security Basic Concepts
Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,
More informationAn Insight into Cookie Security
An Insight into Cookie Security Today most websites and web based applications use cookies. Cookies are primarily used by the web server to track an authenticated user or other user specific details. This
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationDatabase Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG
Database Security Guideline Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG Table of Contents Chapter 1 Introduction... 4 1.1 Objective... 4 1.2 Prerequisites of this Guideline...
More informationSSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.
SSL-TLS VPN 3.0 Certification Report For: Array Networks, Inc. Prepared by: ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 USA http://www.icsalabs.com SSL-TLS VPN 3.0 Certification
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationAudit Logging. Overall Goals
Audit Logging Security Training by Arctec Group (www.arctecgroup.net) 1 Overall Goals Building Visibility In Audit Logging Domain Model 2 1 Authentication, Authorization, and Auditing 3 4 2 5 6 3 Auditing
More informationPCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker
PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS
More informationLecture 11 Web Application Security (part 1)
Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)
More informationOWASP Web Application Penetration Checklist. Version 1.1
Version 1.1 July 14, 2004 This document is released under the GNU documentation license and is Copyrighted to the OWASP Foundation. You should read and understand that license and copyright conditions.
More informationSENSE Security overview 2014
SENSE Security overview 2014 Abstract... 3 Overview... 4 Installation... 6 Device Control... 7 Enrolment Process... 8 Authentication... 9 Network Protection... 12 Local Storage... 13 Conclusion... 15 2
More informationTHREAT MODELLING FOR SQL SERVERS Designing a Secure Database in a Web Application
THREAT MODELLING FOR SQL SERVERS Designing a Secure Database in a Web Application E.Bertino 1, D.Bruschi 2, S.Franzoni 2, I.Nai-Fovino 2, S.Valtolina 2 1 CERIAS, Purdue University, West Lafayette, IN,
More informationWeb Application Security Guidelines for Hosting Dynamic Websites on NIC Servers
Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers The Website can be developed under Windows or Linux Platform. Windows Development should be use: ASP, ASP.NET 1.1/ 2.0, and
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationHomeland Security Red Teaming
Homeland Security Red Teaming Directs intergovernmental coordination Specifies Red Teaming Viewing systems from the perspective of a potential adversary Target hardening Looking for weakness in existing
More informationAuditing the Security of an SAP HANA Implementation
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. 2015 Wellesley Information Services. All rights reserved. Auditing the Security of an SAP HANA Implementation Juan Perez-Etchegoyen
More informationCommon Security Vulnerabilities in Online Payment Systems
Common Security Vulnerabilities in Online Payment Systems Author- Hitesh Malviya(Information Security analyst) Qualifications: C!EH, EC!SA, MCITP, CCNA, MCP Current Position: CEO at HCF Infosec Limited
More informationSemantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0
Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual Document Version 1.0 Table of Contents 1 SWAF... 4 1.1 SWAF Features... 4 2 Operations and User Manual... 7 2.1 SWAF Administrator
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More informationSecurity Goals Services
1 2 Lecture #8 2008 Freedom from danger, risk, etc.; safety. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc. An assurance;
More information